DualCF: Efficient Model Extraction Attack from Counterfactual Explanations

TL;DR

This paper introduces DualCF, a novel querying strategy that efficiently extracts models from cloud-based MLaaS platforms by leveraging counterfactual explanations and their counterfactuals, reducing query complexity and improving fidelity.

Contribution

The paper proposes the DualCF strategy that addresses decision boundary shift issues by using pairs of counterfactual explanations and their counterfactuals for more efficient model extraction.

Findings

DualCF achieves high-fidelity model extraction with fewer queries.

Experimental results show DualCF outperforms existing strategies.

The approach is effective on both synthetic and real-world datasets.

Abstract

Cloud service providers have launched Machine-Learning-as-a-Service (MLaaS) platforms to allow users to access large-scale cloudbased models via APIs. In addition to prediction outputs, these APIs can also provide other information in a more human-understandable way, such as counterfactual explanations (CF). However, such extra information inevitably causes the cloud models to be more vulnerable to extraction attacks which aim to steal the internal functionality of models in the cloud. Due to the black-box nature of cloud models, however, a vast number of queries are inevitably required by existing attack strategies before the substitute model achieves high fidelity. In this paper, we propose a novel simple yet efficient querying strategy to greatly enhance the querying efficiency to steal a classification model. This is motivated by our observation that current querying strategies suffer from decision boundary shift issue induced by taking far-distant queries and close-to-boundary CFs into substitute model training. We then propose DualCF strategy to circumvent the above issues, which is achieved by taking not only CF but also counterfactual explanation of CF (CCF) as pairs of training samples for the substitute model. Extensive and comprehensive experimental evaluations are conducted on both synthetic and real-world datasets. The experimental results favorably illustrate that DualCF can produce a high-fidelity model with fewer queries efficiently and effectively.